Exam PCNSE
Question 561

After switching to a different WAN connection, users have reported that various websites will not load, and timeouts are occurring. The web servers work fine from other locations.

The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream router interface is set to 1400 bytes.

The engineer reviews the following CLI output for ethernet1/1.

Which setting should be modified on ethernet1/1 to remedy this problem?

    Correct Answer: C

    To address the issue where return traffic from the web servers is not reaching the users due to the upstream router's MTU being set to 1400 bytes, adjusting the TCP maximum segment size (MSS) value is the correct approach. This setting controls the maximum amount of data that can be transmitted in a TCP segment, thereby ensuring that TCP segments are small enough to fit within the MTU size specified by the upstream router. Altering the TCP MSS to a value lower than or equal to the MTU of 1400 bytes will prevent fragmentation issues and improve connectivity, unlike lowering the interface MTU, which would affect all types of traffic and potentially lead to unnecessary overhead.
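The following is an added example, not part of the original page and not Palo Alto Networks code: a sketch of what MSS adjustment does to the TCP options of a SYN passing through a device, and why the clamped value survives the 1400-byte hop. It assumes IPv4 with 20-byte IP and TCP headers and no IP options; the function names, the sample SYN options and the hop MTU list are constructed for illustration.

```python
import struct

IP_TCP_HEADERS = 40  # assumption: 20-byte IPv4 header + 20-byte TCP header

def walk_options(opts: bytes):
    """Yield (offset, kind, length) for each TCP option, validating lengths."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of Option List
            return
        if kind == 1:                      # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        yield i, kind, opts[i + 1]
        i += opts[i + 1]

def get_mss(opts: bytes):
    """Return the advertised MSS (option kind 2), or None if absent."""
    for off, kind, length in walk_options(opts):
        if kind == 2 and length == 4:
            return struct.unpack_from("!H", opts, off + 2)[0]
    return None

def clamp_mss(opts: bytes, path_mtu: int) -> bytes:
    """Lower the MSS option in a SYN so full-size segments fit path_mtu."""
    limit = path_mtu - IP_TCP_HEADERS
    out = bytearray(opts)
    for off, kind, length in walk_options(opts):
        if kind == 2 and length == 4:
            mss = struct.unpack_from("!H", out, off + 2)[0]
            struct.pack_into("!H", out, off + 2, min(mss, limit))  # never raise it
    return bytes(out)

def fits_path(mss: int, path_mtus) -> bool:
    """True if a full-size segment (MSS + headers) crosses every hop unfragmented."""
    return mss + IP_TCP_HEADERS <= min(path_mtus)

# Constructed SYN options: MSS=1460, NOP, window scale=7, SACK-permitted, NOP, NOP
SYN_OPTS = bytes.fromhex("020405b4" "01" "030307" "0402" "0101")
PATH = [1500, 1400, 1500]  # constructed hop MTUs; 1400 is the upstream router

if __name__ == "__main__":
    for opts in (SYN_OPTS, clamp_mss(SYN_OPTS, min(PATH))):
        mss = get_mss(opts)
        print("MSS", mss, "fits path:", fits_path(mss, PATH))
```

Because the client's SYN now advertises the smaller MSS, the web servers size their return segments to it, which is the direction of traffic that was failing in the scenario.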

Discussion
Bubu3k Option: C

The question is stupid, but so are some of the answers here. MTU = max data inside a frame (layer 2 packet) size. MSS = max TCP payload. MTU = MSS + 40 (IP header + TCP header). Setting a lower MTU would force a lower MSS. Decreasing MSS also lowers the MTU. Based on how vague B is I would go with C, but in my book either can work and this question is just dumb; the listed answers aren't correct. And for what it's worth, I'm pretty sure D might work as well.

nebulanerd

I wholeheartedly agree with this comment.

brian7857ffs45 Option: C

I don't like the wording of B; it says below 1500. Well, 1480 is below 1500 but would still not fix an MTU IP fragmentation issue, as an example. It should say "lower the interface MTU value below 1400" for B to be correct.

pavtoor Option: C

Option C is correct. Refer to https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PN0gCAG "Please note that even though adjusting the MSS value on the PA firewall solves the issue, the issue is not caused by the Firewall. The issue is caused by other hosts in the path that have lower MTU setting."

Kaifus Option: C

Such a wack question and any network guy would troubleshoot this easily if we had hands on the network and could see the messages. My issue with adjusting the MTU is that it doesn't state that we have control over the entire WAN. What happens if the next router in the path has the same problem? Ideally you want to fragment (D) or lower your MSS (C). https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-release-notes/pan-os-9-1-release-information/features-introduced-in-pan-os-9-1/networking-features#:~:text=Ignore%20DF%20(don't%20fragment)%20Bit&text=You%20can%20configure%20the%20firewall,when%20enabled%20through%20the%20CLI. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PN0gCAG Gonna go with C but could argue that D would possibly work as well if we had access to the client's command window :)

Artbrut Option: C

Agree with pavtoor -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAolCAG&lang=en_US

ATRRHMN Option: B

The issue is with the return traffic; packets larger than the MTU might be dropped/fragmented in a way that causes problems. The appropriate action is to adjust the TCP MSS to ensure that packets are smaller than the MTU of the upstream router. This will prevent fragmentation issues and ensure that traffic flows smoothly. Why not B? Lowering the interface MTU affects all traffic, potentially causing unnecessary overhead for traffic that doesn't need to be fragmented. Adjusting the TCP MSS specifically addresses the size of TCP packets, which is typically the type of traffic experiencing the issue in such scenarios.

0d2fdfa Option: B

This is a bad question. But looking at the snippet, I think they want it to be MTU. Lots of assumptions can be made about upstream routers. Maybe they all have lower MTU or some of them only.

hcir Option: C

C is the answer. It says that some upstream router has a low MTU; it does not say that the directly connected router does. Lowering the MTU would have the FW send ICMP need to fragment messages, which might work but probably not.

Marshpillowz Option: C

C is correct

JRKhan Option: C

C is correct as per the link from pavtoor. If just MTU is lowered down on the firewall, the firewall will start dropping the packets since it can't fragment them. MSS will need to be lowered down to decrease the overall MTU size of the packets.

Shaun919 Option: B

MTU has to match just like in networking for routing/switching. At least from my experience.

anonymous1334232 Option: B

It must be B as it’s the pipe that determines the data that can be put through. The tcp segment determines the buffers which is applicable only if the data is reachable.